Fichier Kimliği
| SHA256 | 5a505f489d40c545ddacf31c16898cc85d6cf4bb308ff8448e24bcc744932042 |
|---|---|
| MD5 | 6b3e4790971c4541f567eb04d06152fb |
| SHA1 | 4bc8d8699e928d8f1c72607d6b85bd585f0beda7 |
| Nom du fichier | Purchase order.exe |
| Taille | 1586817 byte |
| Type | /opt/ksentinel/samples/5a505f489d40c545_Purchaseorder.exe: PE32+ executable (GUI) x86-64 Mono/.Net a |
| Date de compilation | Inconnu |
| Packer | UPX |
C2 Sunucuları / Dropper Domainleri
| Adres | Tip | Durum |
|---|---|---|
System.IO | Domain | active |
Tespit Edilen IOC'lar
| Valeur | Tip |
|---|---|
System.IO | Domain |
Yetenekler
- —
Şifreleme: RijndaelManaged
Base64 Decode:
B64:FixedSizeUnsafeQueueNativeOverlapped => ,^u( B64:getIsUnicodeClassFileStreamInformation => y+ky B64:getLastWriteTimeUtcThreadStartException => +^N) B64:getPositiveInfinitySymbolGetStartComSlot =>
Geliştirici İpuçları
Telegram: @0nQzB @ceaAW @eSdl @GOL25 @KMlxE
PE Analizi
PE Confiancelik Taraması
file entropy: 6.098944 (normal) fpu anti-disassembly: no imagebase: normal entrypoint: null DOS stub: normal TLS directory: not found timestamp: future time section
Import Tablosu (özet)
Imported functions
Famille Tespiti — String Kanıtı
String kanıtı bulunamadı (obfuscated).
AgentTesla — Profil du malware
AgentTesla .NET credential stealer. JS dropper @version 8.16.22. Sayısal obfuscation v6034. SMTP FTP HTTP C2.
Détails techniques
C#/.NET, SMTP/FTP/HTTP C2, GetAsyncKeyState keylogger, browser stealer (Chrome/Firefox/Edge), email client stealer, FTP stealer, VPN stealer, clipboard monitor, screenshot
Attribution / Acteur de la menace
Turkce konusulan gelistirici 'Turk Hack Team' ile iliskilendirilen ve Turkiye'den yonetildigi dusunulen platform. Pek cok farkli siber suc grubu musterisi bulunmaktadir.
Capacités et comportement
Liste IOC (4 indicateurs)
#
4bc8d8699e928d8f1c72607d6b85bd585f0beda7
# SHA256
5a505f489d40c545ddacf31c16898cc85d6cf4bb308ff8448e24bcc744932042
# MD5
6b3e4790971c4541f567eb04d06152fb
# DOMAIN
System.IO
| Type | Valeur | Note |
|---|---|---|
| 4bc8d8699e928d8f1c72607d6b85bd585f0beda7 | ||
| sha256 | 5a505f489d40c545ddacf31c16898cc85d6cf4bb308ff8448e24bcc744932042 | |
| md5 | 6b3e4790971c4541f567eb04d06152fb | |
| domain | System.IO |
Serveurs C2 (8 serveurs enregistrés pour cette famille)
| Adresse | Type | Port | Protocole | Statut | Pays |
|---|---|---|---|---|---|
| digicert.com | domain | — | TCP | active | — |
| stem.ru | domain | — | TCP | active | — |
| digicert.com | domain | — | TCP | active | — |
| dublincore.org | domain | — | TCP | active | — |
| googleapis.com | domain | — | TCP | active | — |
| microsoft.com | domain | — | TCP | active | — |
| freightfacilitators.com | domain | — | TCP | active | — |
| digicert.com | domain | — | TCP | active | — |
Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.